There’s one problem, though. In current OSSEC version 2.6 that configuration will leave you with AR rule, if once triggered, staying in loop forever. For example, if a common web attack is detected and you’ve configured OSSEC to respond with firewall drop AR, upon the timeout the offensive IP address will be deleted from the firewall configuration and re-added immediately after that. Thus, this cycle will continue endlessly.